Configs · Apr 16, 2026 · 3 min read

SafeLine — Self-Hosted Web Application Firewall

SafeLine is a self-hosted WAF and reverse proxy that protects web applications from attacks using semantic analysis. It detects SQL injection, XSS, and other threats with near-zero false positives through AI-powered traffic inspection.

Introduction

SafeLine is a self-hosted Web Application Firewall (WAF) by Chaitin Technology that uses semantic analysis rather than traditional regex rules to detect attacks. This approach dramatically reduces false positives while catching sophisticated SQL injection, XSS, and code injection attacks that rule-based WAFs miss.

What SafeLine Does

  • Inspects HTTP/HTTPS traffic and blocks malicious requests before they reach your application
  • Detects SQL injection, XSS, command injection, and path traversal using semantic analysis
  • Acts as a reverse proxy with automatic HTTPS, load balancing, and rate limiting
  • Provides a real-time dashboard showing attack statistics, blocked requests, and traffic patterns
  • Supports custom rules, IP allowlists/blocklists, and geo-based access control

Architecture Overview

SafeLine consists of a detection engine written in C++ for high-performance traffic analysis, a management API in Go, and a web dashboard built with React. The semantic analysis engine parses request parameters as code (SQL, JavaScript, shell) and analyzes their abstract syntax trees to determine malicious intent. It runs as a set of Docker containers behind an Nginx-based traffic proxy.

Self-Hosting & Configuration

  • Install via a single bash script on any Linux server with Docker
  • Configure upstream web servers and SSL certificates through the web dashboard
  • Set protection levels per site from monitor-only to strict blocking mode
  • Enable bot protection with CAPTCHA challenges and JavaScript verification
  • Manage rules, IP lists, and rate limits through the management interface

Key Features

  • Semantic analysis engine with near-zero false positive rate on real-world traffic
  • Automatic HTTPS with Let's Encrypt integration and certificate management
  • Built-in bot detection with JavaScript challenge and CAPTCHA verification
  • Real-time attack visualization with detailed request inspection and replay
  • Multi-site support with per-site protection policies and independent configurations

Comparison with Similar Tools

  • ModSecurity — Industry-standard WAF with regex-based rules, but high false positive rates and complex tuning
  • Cloudflare WAF — Cloud-based with global CDN, but requires routing traffic through a third party
  • NAXSI — Lightweight Nginx WAF module, but limited detection capabilities and manual rule creation
  • Coraza — Open-source ModSecurity-compatible WAF in Go, but still relies on traditional rule sets
  • BunkerWeb — Docker-first web security with ModSecurity integration, broader scope but less detection precision

FAQ

Q: How is semantic analysis different from regex-based detection?
A: Regex rules match text patterns and produce many false positives. Semantic analysis parses input as actual code (SQL, JS, shell) and evaluates whether it forms a valid attack, yielding far fewer false alarms.

Q: Will SafeLine slow down my website?
A: SafeLine adds minimal latency (typically under 2ms per request) thanks to its C++ detection engine and efficient proxy layer.

Q: Can I use SafeLine alongside Cloudflare or a CDN?
A: Yes. Place SafeLine between your CDN and origin server. Configure it to read the real client IP from X-Forwarded-For or CF-Connecting-IP headers.
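Reading the client IP from X-Forwarded-For is only safe when the direct peer is a proxy you trust, because any client can send that header and spoof the address used for rate limits and IP lists. The Go function below is an added example, not SafeLine's own code, of the trusted-proxy walk that the answer above implies; the proxy ranges are constructed placeholders, and the same peer check applies before trusting a single-value header such as CF-Connecting-IP.

```go
package main

import (
	"net/netip"
	"strings"
)

// Proxies allowed to set X-Forwarded-For: constructed placeholders, not
// SafeLine's configuration. Use the CDN's published egress ranges and your
// own load balancer ranges here.
var trustedProxies = []netip.Prefix{
	netip.MustParsePrefix("203.0.113.0/24"), // stands in for the CDN
	netip.MustParsePrefix("10.0.0.0/8"),     // internal load balancer
}

func isTrusted(ip netip.Addr) bool {
	for _, p := range trustedProxies {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP returns the address a request is attributed to. The header is
// ignored unless the direct peer is a trusted proxy, since any client can
// send one. Otherwise it walks X-Forwarded-For from the right, skipping
// trusted hops, and returns the first untrusted address: the real client.
func ClientIP(remoteAddr, xff string) (netip.Addr, error) {
	ap, err := netip.ParseAddrPort(remoteAddr) // RemoteAddr is host:port
	if err != nil {
		return netip.Addr{}, err
	}
	peer := ap.Addr()
	if !isTrusted(peer) || xff == "" {
		return peer, nil
	}
	parts := strings.Split(xff, ",")
	for i := len(parts) - 1; i >= 0; i-- {
		hop, err := netip.ParseAddr(strings.TrimSpace(parts[i]))
		if err != nil {
			return netip.Addr{}, err // malformed header: do not guess
		}
		if !isTrusted(hop) {
			return hop, nil
		}
	}
	return peer, nil // every listed hop was a trusted proxy
}
```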

Q: Does SafeLine support API protection?
A: Yes. SafeLine inspects JSON and XML request bodies in addition to URL parameters, headers, and cookies, making it effective for REST and GraphQL APIs.
